In today’s age, online privacy and security are more valuable than ever. These are some measures I take to mitigate the risk of attack and reduce the amount of information about me that floats around on the web.

Browsers

Most people use a browser extensively. With prolonged use, some browsers learn more about you and your habits. Using one that is connected to your search engine, social media accounts, and shopping sites only exacerbates this issue (ahem Chromium).

I break that link by using Firefox. Out of the box it’s not the most secure browser, but it can easily be configured to be much safer. It’s perfect for activities that come with ads and trackers such as casual browsing, reading blogs, or consuming media.

Some of the addons that I use with Firefox:

  • uBlock Origin - The best content blocker. It blocks ads, tracking, and malware domains.
  • ClearURLs - Strips URLs of tracking information such as referral parameters.
  • Decentraleyes - Improves your privacy by serving common CDN resources from local copies.
  • HTTPS Everywhere - Enforces visiting sites over HTTPS instead of HTTP.

There are also a few about:config tweaks that I made, which you can set for yourself with this guide. I’ve also enabled DNS over HTTPS with Cloudflare as a provider.

Mac DNS

With my browsing content encrypted with HTTPS Everywhere, the next step is to encrypt DNS requests.

DNSCrypt

I use the DNSCrypt protocol with dnscrypt-proxy as the client. To install it on a Mac:

brew install dnscrypt-proxy

Then you can configure the settings as you like in /usr/local/etc/dnscrypt-proxy.toml. I wanted to block ads and malware at the DNS level (with uBlock Origin being an additional layer for peace of mind). To do this, I added AdGuard DNS to the server list that I use. There are also many other great public servers that you can use.

server_names = ['adguard-dns-doh', 'cloudflare']

From there, you can start the service with

sudo brew services start dnscrypt-proxy

Check that the service is running with sudo lsof +c 15 -Pni UDP:53. If you changed the listening port, reflect that in the command after UDP:. You should see dnscrypt-proxy listed.

COMMAND        PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
dnscrypt-proxy 178 root    9u  IPv4 0x9dd59d9c654b6511      0t0  UDP 127.0.0.1:53

However, you won’t be using this DNS until you tell your Mac to use it. You can do this with

networksetup -setdnsservers Wi-Fi 127.0.0.1

or by going into System Preferences->Network->Wi-Fi->Advanced->DNS and adding 127.0.0.1 to the list. You can leave your current DNS as a fallback in case this fails, but I set up AdGuard as backup, and then Cloudflare. Keep in mind that macOS talks to those fallbacks over plain, unencrypted DNS if the local proxy doesn’t answer. To confirm that you set this up correctly, run scutil --dns | head and you should see a list of your DNS resolvers.

DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  nameserver[1] : 94.140.14.14
  nameserver[2] : 94.140.14.15
  nameserver[3] : 1.1.1.1
  nameserver[4] : 1.0.0.1
  flags    : Request A records, Request AAAA records

To confirm that dnscrypt-proxy is working, run dig in the terminal and confirm that the server address is 127.0.0.1#53. Your output should look something like this.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun 27 18:37:51 PDT 2020
;; MSG SIZE  rcvd: 239

Also, after enabling, you can test DNSSEC validation with dig +dnssec google.com, which should answer NOERROR.

; <<>> DiG 9.10.6 <<>> +dnssec google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32850
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

And the failure case with dig www.dnssec-failed.org, a deliberately mis-signed domain that a validating resolver must refuse with SERVFAIL.

; <<>> DiG 9.10.6 <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Finally, you can check your ESNI security with Cloudflare.
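The checks above can be scripted so they are repeatable after every reboot or network change. This is an added example, not code from the original post: a POSIX shell script whose functions read the output of scutil --dns and dig on stdin and decide whether the first resolver is dnscrypt-proxy and whether DNSSEC validation is actually happening. The samples embedded in it are constructed from the output snippets shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Each function reads the output
# of one command on stdin (scutil --dns or dig), so it can be fed live output
# or the constructed samples at the bottom, which are trimmed from the post.

# First resolver macOS will use; should be 127.0.0.1 (dnscrypt-proxy).
first_nameserver() {
  awk '$1 == "nameserver[0]" { print $3; exit }'
}

# Server dig actually talked to, e.g. "127.0.0.1#53".
dig_server() {
  sed -n 's/^;; SERVER: \([^ (]*\).*/\1/p'
}

# Response status from the dig header line, e.g. NOERROR or SERVFAIL.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# DNSSEC is only being validated if a correctly signed name resolves
# (NOERROR) AND the deliberately broken one is refused (SERVFAIL).
# $1 = status for google.com, $2 = status for www.dnssec-failed.org
dnssec_verdict() {
  if [ "$1" = NOERROR ] && [ "$2" = SERVFAIL ]; then
    echo validating
  elif [ "$1" = NOERROR ] && [ "$2" = NOERROR ]; then
    echo "not validating"
  else
    echo "resolver broken"
  fi
}

# Constructed samples (trimmed from the outputs shown in the post).
SCUTIL_SAMPLE='resolver #1
  nameserver[0] : 127.0.0.1
  nameserver[1] : 94.140.14.14'
DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32850
;; SERVER: 127.0.0.1#53(127.0.0.1)'
DIG_BAD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44346
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Live use: scutil --dns | first_nameserver ; dig +dnssec google.com | dig_status
echo "first resolver: $(printf '%s\n' "$SCUTIL_SAMPLE" | first_nameserver)"
echo "dig server:     $(printf '%s\n' "$DIG_OK" | dig_server)"
OK_STATUS=$(printf '%s\n' "$DIG_OK" | dig_status)
BAD_STATUS=$(printf '%s\n' "$DIG_BAD" | dig_status)
echo "DNSSEC:         $(dnssec_verdict "$OK_STATUS" "$BAD_STATUS")"
```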

Privoxy

I also use Privoxy to filter ads and other content with its default configuration.

brew install privoxy
sudo brew services start privoxy

You need to tell your Mac about this new proxy, which you can do with

sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118

or by going into System Preferences->Network->Wi-Fi->Advanced->Proxies and enabling HTTPS. Confirm that it’s set with scutil --proxy.

<dictionary> {
  HTTPSEnable : 1
  HTTPSPort : 8118
  HTTPSProxy : 127.0.0.1
}

Check that your proxy is working with ALL_PROXY=127.0.0.1:8118 curl ads.foo.com/ -IL.

HTTP/1.1 403 Request blocked by Privoxy
Content-Length: 8800
Content-Type: text/html
Cache-Control: no-cache
Date: Sun, 28 Jun 2020 19:39:26 GMT
Last-Modified: Wed, 08 Jun 1955 12:00:00 GMT
Expires: Sat, 17 Jun 2000 12:00:00 GMT
Pragma: no-cache
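The two Privoxy checks above can likewise be scripted. This is an added example, not code from the original post: a POSIX shell script that reads scutil --proxy and curl -IL output on stdin, confirms the system HTTPS proxy points at 127.0.0.1:8118, and only reports a block when the 403 carries Privoxy’s own reason phrase (an ordinary 403 from the real site would otherwise look like a block). The samples embedded in it are constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the Privoxy setup from
# the output of scutil --proxy and curl -IL, read on stdin, so it works on
# live output or on the constructed samples at the bottom.

# One value from the scutil --proxy dictionary, e.g. proxy_value HTTPSPort.
proxy_value() {
  awk -v key="$1" '$1 == key { print $3; exit }'
}

# True only if the secure web proxy is enabled and points at 127.0.0.1:8118.
proxy_points_at_privoxy() {
  out=$(cat)
  [ "$(printf '%s\n' "$out" | proxy_value HTTPSEnable)" = 1 ] &&
  [ "$(printf '%s\n' "$out" | proxy_value HTTPSProxy)" = 127.0.0.1 ] &&
  [ "$(printf '%s\n' "$out" | proxy_value HTTPSPort)" = 8118 ]
}

# Status code of the first response line from curl -I, e.g. 403.
first_status() {
  awk '$1 ~ /^HTTP\// { print $2; exit }'
}

# Did Privoxy block the request? Requires both the 403 and Privoxy's reason
# phrase, so an ordinary 403 from the real site is not mistaken for a block.
blocked_by_privoxy() {
  grep -q '^HTTP/[0-9.]* 403 Request blocked by Privoxy'
}

# Constructed samples, trimmed from the outputs shown in the post.
PROXY_SAMPLE='<dictionary> {
  HTTPSEnable : 1
  HTTPSPort : 8118
  HTTPSProxy : 127.0.0.1
}'
CURL_SAMPLE='HTTP/1.1 403 Request blocked by Privoxy
Content-Length: 8800
Content-Type: text/html'

# Live use: scutil --proxy | proxy_points_at_privoxy
#           ALL_PROXY=127.0.0.1:8118 curl -sIL ads.foo.com/ | blocked_by_privoxy
if printf '%s\n' "$PROXY_SAMPLE" | proxy_points_at_privoxy; then
  echo "system HTTPS proxy -> Privoxy: yes"
fi
if printf '%s\n' "$CURL_SAMPLE" | blocked_by_privoxy; then
  echo "test request blocked (status $(printf '%s\n' "$CURL_SAMPLE" | first_status))"
fi
```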

iPhone

NextDNS

I use NextDNS as my DNS provider on iOS. It has some neat features including analytics and blocklists (for ads and malware). The free version gives you up to 300,000 queries a month, and it only costs $2/month afterwards. I’ve recently opted to use this instead of Cloudflare’s 1.1.1.1. I always leave it on, as it’s safe and important to use over any Wi-Fi or cellular network, and I’ve seen no network speed slowdowns no matter what I’m doing.

AdGuard + 1Blocker

I use AdGuard and 1Blocker as an extra layer of security while browsing on my iPhone. They’re great content blockers that work with Safari.